[Cryptography] Recent improvements on SHA-1 attacks
Stephan Neuhaus
stephan.neuhaus at zhaw.ch
Wed Jan 8 03:52:03 EST 2020
On 1/7/20 12:41 PM, Peter Gutmann wrote:
> An interesting paper has just appeared on the IACR e-print archive:
>
> SHA-1 is a Shambles: First Chosen-Prefix Collision on SHA-1 and Application to
> the PGP Web of Trust
>
> https://eprint.iacr.org/2020/014.pdf
>
> tl;dr: Attacks sped up by a factor of ~16 over previous work, chosen-prefix
> collision for ~$75k and 2 months effort.
>
> It's a long (32 pages) but interesting read. The only thing I have a bit of
> an issue with is the conclusion:
>
> SHA-1 signatures now offers virtually no security in practice
>
> It should really be "SHA-1 signatures where the attacker has two months time
> and tens of thousands of dollars (there are some cheaper options than $75k) to
> prepare a forgery offer no security in practice".
But admittedly, the way that software systems are used these days, it's
positively likely that among all of the users of a particular popular
system (e.g., git) there are some where an adversary would think the
investment worthwhile.
> Even then, the demonstrated attack relies on the ability to stuff arbitrary
> garbage data into the signed message (in this case into a JPEG image after the
> End-of-Image marker), so add:
>
> "... and the ability to stuff arbitrary attacker-chosen data into the signed
> message..."
>
> to that.
Oh sure, TLS will probably not be affected by this, but there are tons
of protocols and file formats that will be. After reading PoC||GTFO, I'm
thinking that there is almost nothing that can't also be a PDF.
Cheers
Stephan
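The attack Peter describes needs somewhere to park attacker-chosen bytes that the verifying tool ignores; the trailer after a JPEG's End-of-Image marker (FF D9) is the spot used in the paper. The following checker, added here as an illustration and not code from the thread or the paper, walks the JPEG segment structure, finds the real EOI (ignoring a decoy FF D9 inside an APP1/EXIF thumbnail), and reports how many bytes follow it, so a signing or verifying pipeline can refuse or flag images carrying an unexplained trailer. The `build_sample` helper produces a constructed, non-decodable JPEG-shaped byte string purely for demonstration; all names are mine.

```python
"""Detect data appended after a JPEG's End-of-Image (EOI) marker.

Added example (not from the thread or the paper): a defender-side check
for the "stuff arbitrary data after EOI" vector that the chosen-prefix
collision relies on. Only the segment framing is parsed; the image
itself is never decoded.
"""
import struct
import sys

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# TEM (0x01) and RST0..RST7 (0xD0..0xD7) are standalone markers with no
# length field, and they may legitimately appear inside entropy-coded data.
STANDALONE = {0x01, *range(0xD0, 0xD8)}


def _segment_end(data: bytes, pos: int) -> int:
    """Return the offset just past the marker segment starting at `pos`."""
    if pos + 4 > len(data):
        raise ValueError(f"truncated segment header at offset {pos}")
    seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
    if seg_len < 2 or pos + 2 + seg_len > len(data):
        raise ValueError(f"bad segment length at offset {pos}")
    return pos + 2 + seg_len        # length field counts its own 2 bytes


def trailing_bytes_after_eoi(data: bytes) -> int:
    """Number of bytes after the real EOI marker (0 for a clean file).

    Raises ValueError for input that is not a well-formed JPEG (no SOI,
    truncated segment, no EOI).
    """
    if len(data) < 2 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing SOI marker")
    pos = 2
    # Phase 1: header segments (APPn, DQT, SOF, DHT, ...) up to Start-of-Scan.
    # A decoy FF D9 inside an APP1 thumbnail is skipped by honouring lengths.
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:           # EOI with no scan: degenerate but framed
            return len(data) - (pos + 2)
        if marker in STANDALONE:
            pos += 2
            continue
        pos = _segment_end(data, pos)
        if marker == SOS:
            break
    # Phase 2: entropy-coded data. FF 00 is a stuffed byte and FF D0..D7 are
    # restart markers; any other FF xx is a real marker (a further DHT/SOS in
    # a progressive file, or the EOI we are looking for).
    while True:
        idx = data.find(b"\xff", pos)
        if idx < 0 or idx + 1 >= len(data):
            raise ValueError("no EOI marker found")
        nxt = data[idx + 1]
        if nxt == 0xFF:
            pos = idx + 1
        elif nxt == 0x00 or nxt in STANDALONE:
            pos = idx + 2
        elif nxt == EOI:
            return len(data) - (idx + 2)
        else:
            pos = _segment_end(data, idx)


def build_sample(trailer: bytes = b"") -> bytes:
    """Constructed JPEG-shaped bytes for the demo (not a decodable image):
    SOI, an APP1 segment whose payload holds a decoy FF D9, a minimal SOS
    header, scan data with a stuffed FF 00 and an RST0, the real EOI, then
    `trailer`."""
    app1_payload = b"Exif\x00\x00thumb\xff\xd9thumb"
    app1 = b"\xff\xe1" + struct.pack(">H", len(app1_payload) + 2) + app1_payload
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", len(sos_payload) + 2) + sos_payload
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9" + trailer


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample(b"attacker-chosen bytes go here")
    n = trailing_bytes_after_eoi(blob)
    print("clean: no data after EOI" if n == 0 else f"WARNING: {n} bytes after EOI")
```

A non-zero result is not proof of tampering (some cameras and editors do leave junk after EOI), but for a signing workflow it is cheap to reject or strip such trailers before the hash is computed, which removes the slack space this class of collision needs.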